PIA: Port forwarding obtaining signature payload timeout

[MillsyBot]

Hello!

First off: thanks for making such a cool product!

Now to business: I have been using PIA (sans port forwarding) for sometime and have really enjoyed it. I am attempting now to add the port forwarding feature for a current use case that I have. I believe that I have configured things properly, however it is quite possible that I missed something. Here are the relevant environment variables

VPN_PORT_FORWARDING=on
FIREWALL_VPN_INPUT_PORTS=
VPN_ENDPOINT_PORT=
VPN_PORT_FORWARDING_PROVIDER=private internet access
FIREWALL_INPUT_PORTS=
VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/forwarded_port
VPN_PORT_FORWARDING_LISTENING_PORT=0

And here are the logs that I am getting.

2024-01-15T21:18:34-07:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-01-15T21:18:34-07:00 INFO [port forwarding] starting
2024-01-15T21:19:04-07:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.31.110.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I have verified on a few locations that claim they support port forwarding, however the results are the same. I attempted to reach the 10.31.110.1 port 19999 from inside the gluetun container, and that was also a bust.

Thanks in advance for any help. Sorry if this one is too obvious!

[qdm12]

Hi there! I am not sure, I was going to say this VPN server probably doesn't support port forwarding... What server hostname/ip are you using, just to double check? If anyone else has the same issue, please chime in as well, thanks!

[MillsyBot]

Hey! Thanks for the response.

SERVER_NAMES=vancouver433
SERVER_HOSTNAMES=ca-vancouver.privacy.network
SERVER_REGIONS=CA Vancouver

I have been using Vancouver to make the attempts, however I have cycled a few different servers in various regions (Venezuela, Mexico, Norway).

Is there a preferred or recommended order of preference on these variables? like only use SERVER_NAMES or use all three or use only one?

[ZulliB]

I have been dealing with the same issue for a while and here is the error I get:

gluetun-public  | 2024-01-29T12:14:05-08:00 WARN [port forwarding] Forwarded port data expired on Wed, 10 Jan 2024 16:56:07 UTC, getting another one
gluetun-public  | 2024-01-29T12:14:06-08:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.27.110.1:19999/getSignature?token=<token>": dial tcp 10.27.110.1:19999: connect: connection refused

I assume the token is actually being passed and the token isn't literal. here is my relevant options: (running the latest version)

      - VPN_TYPE=openvpn
      - OPENVPN_PROCESS_USER=root
      - VPN_SERVICE_PROVIDER=private internet access
      - SERVER_REGIONS=CA Vancouver
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=private internet access
      - PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=strong
      - FIREWALL=on

Hope some of this helps. Thank you for a great application.

[anorth2]

+1 with connection refused . I confirmed I am using a server with port forwarding by manually testing in the PIA UI and receiving a forwarded port.

[anorth2]

This could be related @qdm12 :

https://www.reddit.com/r/PrivateInternetAccess/comments/p0n7ge/cant_get_signature_for_port_forwarding_connection/
https://github.com/triffid/pia-wg/blob/master/pia-portforward.sh#L70-L72

[ZulliB]

This could be related @qdm12 :

https://www.reddit.com/r/PrivateInternetAccess/comments/p0n7ge/cant_get_signature_for_port_forwarding_connection/ https://github.com/triffid/pia-wg/blob/master/pia-portforward.sh#L70-L72

Nice find. One thing I noticed is that gluetun is trying to get the signature from the gateway, which makes sense according to PIA's comments here.
Although, in the actual request they use PF_HOSTNAME and not PF_GATEWAY here.
Even in the scripts you linked to appear to be using the domain name of the region server i.e. ca-vancouver.privacy.network

Hopefully it's not a red herring.

[qdm12]

@MillsyBot your error was Client.Timeout exceeded while awaiting headers so not connection refused, is this resolved now?

@anorth2 @ZulliB Your issue connection refused might be different from the original issue. If PIA port forwarding would be broken in Gluetun, I would expect more people to ask about it 🤔 Plus it was working before.
Since the gateway is 10.27.110.1, would you be using 10.0.0.0/8 as your local Docker bridge network for example? These can conflict with the gateway.

@ZulliB The curl command they have

curl -s -m 5 \
    --connect-to "$PF_HOSTNAME::$PF_GATEWAY:" \
    --cacert "ca.rsa.4096.crt" \
    -G --data-urlencode "token=${PIA_TOKEN}" \
    "https://${PF_HOSTNAME}:19999/getSignature"

Actually connects to PF_GATEWAY (see --connect-to), PF_HOSTNAME is just used as an alias and to validate the TLS name.

Anyway, I also changed code so it communicates with the public VPN server IP address instead of the local gateway for PIA, in image qmcgaw/gluetun:pr-2254 can you try it? Thanks!

[MillsyBot]

I pulled the image with the changes and it looks like it is getting "further" than before

2024-05-07T11:21:40-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://208.78.42.180:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

root@doctor-ddos:/home/amills/htpc# docker exec -it gluetun sh
/ # wget https://208.78.42.180:19999/
--2024-05-07 11:24:29--  https://208.78.42.180:19999/
Connecting to 208.78.42.180:19999... ^C
/ # wget https://ca-vancouver.privacy.network:19999
--2024-05-07 11:24:59--  https://ca-vancouver.privacy.network:19999/
Resolving ca-vancouver.privacy.network (ca-vancouver.privacy.network)... 208.78.42.215, 89.149.52.23, 208.78.42.213
Connecting to ca-vancouver.privacy.network (ca-vancouver.privacy.network)|208.78.42.215|:19999... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-05-07 11:25:00 ERROR 404: Not Found.

/ # wget https://208.78.42.180:19999/
--2024-05-07 11:25:07--  https://208.78.42.180:19999/
Connecting to 208.78.42.180:19999... ^C
/ # wget https://ca-vancouver.privacy.network:19999/getSignature?token=
--2024-05-07 11:25:27--  https://ca-vancouver.privacy.network:19999/getSignature?token=
Resolving ca-vancouver.privacy.network (ca-vancouver.privacy.network)... 208.78.42.213, 208.78.42.215, 89.149.52.23
Connecting to ca-vancouver.privacy.network (ca-vancouver.privacy.network)|208.78.42.213|:19999... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.
/ #

From inside the container I attempted to use the host name and the original IP. Seems like the host name properly resolves the endpoint.

Am I passing the wrong variables as env settings?

[qdm12]

Can you try pulling qmcgaw/gluetun:pr-2254 and check if it works now? It's now using the server hostname to get the signature and bind the port. I'm not sure why resolving ca-vancouver.privacy.network gives IP addresses different than the ones given by PIA's API https://serverlist.piaservers.net/vpninfo/servers/v5 but using the hostname should fix at least the /getSignature part I think.

[MillsyBot]

2024-05-23T21:06:15-06:00 INFO [ip getter] Public IP address is 208.78.42.180 (Canada, British Columbia, Coquitlam)
2024-05-23T21:06:15-06:00 INFO [vpn] There is a new release v3.38.0 (v3.38.0) created 59 days ago
2024-05-23T21:06:15-06:00 INFO [port forwarding] starting
2024-05-23T21:06:16-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: HTTP status code is not OK: https://ca-vancouver.privacy.network:19999/getSignature?token=<token>: 401 401 Unauthorized: response received: {  "status": "ERROR",  "message": "Unauthorized client"}

Almost there. I literally posted the log line, so is literally being output. Does the logging agent obfuscate the token?

[xtinct101]

Hi, just to jump onto this thread instead of starting a new one. It seems that PIA port forwarding is not supported when using the "custom" service provider to connect to PIA via wireguard.

[qdm12]

@MillsyBot thanks for the feedback! Also sorry for the long delay answering this 😢

Does the logging agent obfuscate the token?

Yes it does 🎊 😕

Does it work with curl https://ca-vancouver.privacy.network:19999/getSignature?token=yourtoken , replacing yourtoken? You should be able to get your token with the following curl command, replacing yourpass and youruser with your Openvpn credentials.

curl -X POST -H 'Content-Type application/x-www-form-urlencoded' --data 'password=yourpass&username=youruser' https://www.privateinternetaccess.com/api/client/v2/token

Maybe even outside the VPN tunnel. For reference the 'fetchToken' function in Gluetun is at

gluetun/internal/provider/privateinternetaccess/portforward.go

Line 239 in 4218dba

func fetchToken(ctx context.Context, client *http.Client,

[MillsyBot]

Attempted with the new build and i got the following error

2024-06-17T09:30:47-06:00 INFO [ip getter] Public IP address is X.X.X.X (Canada, British Columbia, Vancouver)
2024-06-17T09:30:47-06:00 INFO [vpn] There is a new release v3.38.0 (v3.38.0) created 83 days ago
2024-06-17T09:30:47-06:00 INFO [port forwarding] starting
2024-06-17T09:30:48-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: HTTP status code is not OK: https://ca-vancouver.privacy.network:19999/getSignature?token=<token>: 401 401 Unauthorized: response received: {  "status": "ERROR",  "message": "Unauthorized client"}

Using the curl method described above the results are similar

{
    "status": "ERROR",
    "message": "Unauthorized client"
}

Has this moved, now, to an issue with either my subscription or with PIA?

[xtinct101]

Not sure what is different for me, but when I try using port forward on openvpn it seems to work just fine.

gluetun  | 2024-06-17T21:05:38.274723451Z 2024-06-17T21:05:38Z INFO [ip getter] Public IP address is 140.228.21.147 (Canada, Quebec, Montréal)
gluetun  | 2024-06-17T21:05:38.772714587Z 2024-06-17T21:05:38Z INFO [vpn] You are running on the bleeding edge of latest!
gluetun  | 2024-06-17T21:05:38.772748512Z 2024-06-17T21:05:38Z INFO [port forwarding] starting
gluetun  | 2024-06-17T21:05:39.789600351Z 2024-06-17T21:05:39Z INFO [port forwarding] Port forwarded data expires in 62 days
gluetun  | 2024-06-17T21:05:39.875325244Z 2024-06-17T21:05:39Z INFO [port forwarding] port forwarded is 25984
gluetun  | 2024-06-17T21:05:39.875369710Z 2024-06-17T21:05:39Z INFO [firewall] setting allowed input port 25984 through interface tun0...

This is on the latest build, not even using the PR.
The interesting thing is, when I change it to vancouver or montreal it wont even connect for me. I tried updating the server list using, https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list, but it still halts on this.

gluetun  | 2024-06-17T21:08:48.586132017Z 2024-06-17T21:08:48Z INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
gluetun  | 2024-06-17T21:08:48.586135144Z 2024-06-17T21:08:48Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun  | 2024-06-17T21:08:48.586904043Z 2024-06-17T21:08:48Z INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
gluetun  | 2024-06-17T21:08:48.586912563Z 2024-06-17T21:08:48Z INFO [openvpn] xxxx
gluetun  | 2024-06-17T21:08:48.586925976Z 2024-06-17T21:08:48Z INFO [openvpn] -----END X509 CRL-----
gluetun  | 2024-06-17T21:08:48.586995179Z 2024-06-17T21:08:48Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]208.78.42.164:1197
gluetun  | 2024-06-17T21:08:48.587007861Z 2024-06-17T21:08:48Z INFO [openvpn] UDPv4 link local: (not bound)
gluetun  | 2024-06-17T21:08:48.587024341Z 2024-06-17T21:08:48Z INFO [openvpn] UDPv4 link remote: [AF_INET]208.78.42.164:1197
gluetun  | 2024-06-17T21:08:48.581087407Z 2024-06-17T21:08:48Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN

My issue is different as I'm trying to get this working using wireguard but maybe it all connected?!

[qdm12]

Interesting input @xtinct101 maybe it is working as intended currently 🤔 @MillsyBot have you tried with another VPN server? Also your Docker network or LAN wouldn't conflict with the VPN gateway 10.31.110.1 right?

I re-checked PIA's scripts and it didn't change so the current code (latest image/master branch) should still be working by connecting to the gateway ip address, using the server name as TLS name to verify against.

@xtinct101 I'm re-opening your original issue, since it might well be something different, my bad for thinking it was the same!

[xtinct101]

As I stated when using montreal it works fine, when i try toronto or vancouver, using openvpn, it wont connect but it also doesnt error out, it just restarts the container.

gluetun  | 2024-06-17T21:08:48.586132017Z 2024-06-17T21:08:48Z INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
gluetun  | 2024-06-17T21:08:48.586135144Z 2024-06-17T21:08:48Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun  | 2024-06-17T21:08:48.586904043Z 2024-06-17T21:08:48Z INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
gluetun  | 2024-06-17T21:08:48.586912563Z 2024-06-17T21:08:48Z INFO [openvpn] xxxx
gluetun  | 2024-06-17T21:08:48.586925976Z 2024-06-17T21:08:48Z INFO [openvpn] -----END X509 CRL-----
gluetun  | 2024-06-17T21:08:48.586995179Z 2024-06-17T21:08:48Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]208.78.42.164:1197
gluetun  | 2024-06-17T21:08:48.587007861Z 2024-06-17T21:08:48Z INFO [openvpn] UDPv4 link local: (not bound)
gluetun  | 2024-06-17T21:08:48.587024341Z 2024-06-17T21:08:48Z INFO [openvpn] UDPv4 link remote: [AF_INET]208.78.42.164:1197
gluetun  | 2024-06-17T21:08:48.581087407Z 2024-06-17T21:08:48Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN

[qdm12]

@MillsyBot The more I read this together with @xtinct101 comments, my conclusions are:

• ca-vancouver.privacy.network:19999 replies 401 unauthorized since you are indeed not authorized. Your token is to communicate with gateway:19999, not ca-vancouver.privacy.network:19999
• reaching gateway:19999 plainly doesn't work (it hangs) and that likely is due to a network conflict (your Docker networks, your LAN?)

@xtinct101 Oh indeed, sorry I got confused by (the still confusing 😄)

(Canada, Quebec, Montréal)
The interesting thing is, when I change it to vancouver or montreal it wont even connect for me

Anyway let's continue the conversation back on your issue 😉 Thanks again

[MillsyBot]

bridge 172.17.0.0/16
code-server_default 172.23.0.0/16
docker-dexcom_default 192.168.112.0/20
homepage_default 172.24.0.0/16
htpc_default 172.31.0.0/16
monitoring_default 172.20.0.0/16
photoprism_default 172.22.0.0/16
pihole_default 172.25.0.0/16
plex_default 172.28.0.0/16
unifi_default 172.19.0.0/16

I don't see a network that would conflict with any 10/8. My home network is all 192.168. networks.

[qdm12]

@MillsyBot When running Gluetun, what do you get from docker exec gluetun /bin/sh -c "ip route show all"? I'm curious to see, maybe the code I wrote doesn't detect the VPN gateway IP address correctly 🤔 That could explain the client timeout error, since it's trying to reach the wrong ip address.

EDIT: also, you are using OpenVPN correct?

[MillsyBot]

root@d# docker exec gluetun /bin/sh -c "ip route show all"
0.0.0.0/1 via 10.19.110.1 dev tun0
default via 172.17.0.1 dev eth0
10.19.110.0/24 dev tun0 proto kernel scope link src 10.19.110.73
128.0.0.0/1 via 10.19.110.1 dev tun0
140.228.21.88 via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3

root@d# docker exec gluetun /bin/sh -c "dig ca-montreal.privacy.network +short"
172.98.71.13
84.247.105.88
140.228.24.188

024-06-17T20:58:22-06:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: private internet access
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: openvpn
|   |   |   ├── Regions: CA Montreal
|   |   |   ├── Server names: montreal420
|   |   |   ├── Hostnames: ca-montreal.privacy.network
|   |   |   └── OpenVPN server selection settings:
|   |   |       ├── Protocol: UDP
|   |   |       └── Private Internet Access encryption preset: strong
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use code for provider: private internet access
|   |       └── Forwarded port file path: /gluetun/forwarded_port
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Private Internet Access encryption preset: strong
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       ├── Verbosity level: 1
|       └── Flags: [--fast-io --sndbuf 512000 --rcvbuf 512000 --txqueuelen 2000]
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 10.0.0.0/8
|       ├── 192.168.0.0/16
|       └── 172.16.0.0/12
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User:
|   ├── Password: [not set]
|   ├── Stealth mode: no
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: America/Denver
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes

Yes, I am using OpenVPN.

[qdm12]

|   └── Outbound subnets:
|       ├── 10.0.0.0/8

That might conflict, can you try removing it? That's as I recall the FIREWALL_OUTBOUND_SUBNETS variable

[MillsyBot]

├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 192.168.0.0/16
|       └── 172.16.0.0/12
├── Log settings:
|   └── Log level: info

Same

2024-06-18T15:51:08-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: HTTP status code is not OK: https://ca-montreal.privacy.network:19999/getSignature?token=<token>: 401 401 Unauthorized: response received: {  "status": "ERROR",  "message": "Unauthorized client"}

[qdm12]

But switch back to the latest image instead (using the gateway IP address, not the vpn server hostname)

[MillsyBot]

2024-06-19T18:16:50-06:00 INFO [port forwarding] Port forwarded data expires in 62 days
2024-06-19T18:16:50-06:00 INFO [port forwarding] port forwarded is 27292
2024-06-19T18:16:50-06:00 INFO [firewall] setting allowed input port 27292 through interface tun0...
2024-06-19T18:16:50-06:00 INFO [port forwarding] writing port file /gluetun/forwarded_port

Everything works.

Thanks for the patience!

[github-actions]

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

[MrColoo]

Hi same problem here with Wireguard + PIA. Port forwarding seems to not work. How could I solve it?

├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Target IP address: target ip
|   |   |   ├── Server names: name
|   |   |   └── Wireguard selection settings:
|   |   |       ├── Endpoint IP address: ip
|   |   |       ├── Endpoint port: port
|   |   |       └── Server public key: publickey
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use code for provider: private internet access
|   |       ├── Forwarded port file path: /tmp/gluetun/forwarded_port.txt
|   |       └── Credentials:
|   |           ├── Username: username
|   |           └── Password: [set]
|   └── Wireguard settings:
|       ├── Private key: WGG...nQ=
|       ├── Interface addresses:
|       |   └── int ip
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes

2024-07-22T17:29:54Z INFO [port forwarding] starting
2024-07-22T17:30:09Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching token: Post "https://www.privateinternetaccess.com/api/client/v2/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-07-22T18:06:17Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.5.246.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

services:      
   gluetun:
    image: qmcgaw/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=ip
      - VPN_ENDPOINT_PORT=port
      - WIREGUARD_PRIVATE_KEY=...
      - WIREGUARD_PUBLIC_KEY=...
      - WIREGUARD_ADDRESSES=address
      - SERVER_NAMES=name
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=private internet access
      - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port.txt
      - VPN_PORT_FORWARDING_USERNAME=user
      - VPN_PORT_FORWARDING_PASSWORD=pass
      #- FIREWALL_VPN_INPUT_PORTS=3094
    restart: always

[qdm12]

@MrColoo see issue #2320 🙏

[djtecha]

this thread was useful but I'm still stuck on the same issue the OP is on using pr-2254 Keep getting the 401 error. Is there anyway I can help with this problem?

2024-08-07T01:26:53Z ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: HTTP status code is not OK: https://ca-ontario.privacy.network:19999/getSignature?token=<token>: 401 401 Unauthorized: response received: {  "status": "ERROR",  "message": "Unauthorized client"}

        env:
          OPENVPN_USER:
            secretKeyRef:
              expandObjectName: false
              name: vpn-credentials
              key: username
          OPENVPN_PASSWORD:
            secretKeyRef:
              expandObjectName: false
              name: vpn-credentials
              key: password
          DOT: off
          FIREWALL_OUTBOUND_SUBNETS: 10.0.0.0/8
          DNS_PLAINTEXT_ADDRESS: 10.0.0.243
          PORT_FORWARD_ONLY: true
          VPN_PORT_FORWARDING: on
          VPN_PORT_FORWARDING_PROVIDER: "private internet access"
          VPN_SERVICE_PROVIDER: "private internet access"
          SERVER_REGIONS: CA Ontario

The tunnel comes up but no PF sadly.

[qdm12]

Perhaps try removing the value for FIREWALL_OUTBOUND_SUBNETS?

EDIT: I don't monitor closed issues, so you will likely not get another response